Question: 1


Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 
client computers that run Windows 10. 

A security audit reveals that the network recently experienced a Pass-the-Hash attack. The attack was 
initiated from a client computer and accessed Active Directory objects restricted to the members of 
the Domain Admins group. 

You need to minimize the impact of another successful Pass-the-Hash attack on the domain. 

What should you recommend? 


A. Instruct all users to sign in to a client computer by using a Microsoft account. 

B. Move the computer accounts of all the client computers to a new organizational unit (OU). 
Remove the permissions to the new OU from the Domain Admins group. 

C. Instruct all administrators to use a local Administrators account when they sign in to a client 
computer. 

D. Move the computer accounts of the domain controllers to a new organizational unit (OU). Remove 
the permissions to the new OU from the Domain Admins group. 


Answer: C 


Explanation: 
Feature comparison of Remote Desktop, Remote Credential Guard, and Restricted Admin mode:

Protection benefits
-Remote Desktop: Credentials on the server are not protected from Pass-the-Hash attacks.
-Remote Credential Guard: User credentials remain on the client. An attacker can act on behalf of the user only when the session is ongoing.
-Restricted Admin mode: User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server.

Version support
-Remote Desktop: The remote computer can run any Windows operating system.
-Remote Credential Guard: Both the client and the remote computer must be running at least Windows 10, version 1607, or Windows Server 2016.
-Restricted Admin mode: The remote computer must be running at least patched Windows 7 or patched Windows Server 2008 R2. For more information about patches (software updates) related to Restricted Admin mode, see Microsoft Security Advisory 2871997.

Helps prevent
-Remote Desktop: N/A
-Remote Credential Guard: Pass-the-Hash; use of a credential after disconnection
-Restricted Admin mode: Pass-the-Hash; use of domain identity during connection

Credentials supported from the remote desktop client device
-Remote Desktop: Signed on credentials; supplied credentials; saved credentials
-Remote Credential Guard: Signed on credentials only
-Restricted Admin mode: Signed on credentials; supplied credentials; saved credentials


Question: 2 


Your network contains an Active Directory forest named contoso.com. The forest functional level is 
Windows Server 2012. All servers run Windows Server 2016. 

You create a new bastion forest named admin.contoso.com. The forest functional level of 
admin.contoso.com is Windows Server 2012 R2. 

You need to implement a Privileged Access Management (PAM) solution. 

Which two actions should you perform? Each correct answer presents part of the solution. 


A. Raise the forest functional level of admin.contoso.com. 
B. Deploy Microsoft Identity Management (MIM) 2016 to admin.contoso.com. 
C. Configure contoso.com to trust admin.contoso.com. 
D. Deploy Microsoft Identity Management (MIM) 2016 to contoso.com. 
E. Raise the forest functional level of contoso.com. 
F. Configure admin.contoso.com to trust contoso.com. 


Answer: DE 


Explanation: 


Windows Server 2016 forest functional level features 

-All of the features that are available at the Windows Server 2012 R2 forest functional level, 
and the following features, are available: 
  -Privileged access management (PAM) using Microsoft Identity Manager (MIM) 

For the bastion forest which deploys MIM, you should raise the forest functional level to “Windows 
Server 2016”. 


Question: 3 


Your network contains an Active Directory domain named contoso.com. The domain contains two 
servers named Server1 and Server2 that run Windows Server 2016. 

Server1 is configured as a domain controller. 

You configure Server1 as a Just Enough Administration (JEA) endpoint. You configure the required JEA 
rights for a user named User1. 

You need to tell User1 how to manage Active Directory objects from Server2. 

What should you tell User1 to do first on Server2? 


A. From a command prompt, run ntdsutil.exe. 

B. From Windows PowerShell, run the Import-Module cmdlet. 

C. From Windows PowerShell, run the Enter-PSSession cmdlet. 

D. Install the management consoles for Active Directory, and then launch Active Directory Users and 
Computer. 


Answer: C 


Explanation: 
References: 


https://blogs.technet.microsoft.com/privatecloud/2014/05/14/just-enough-administration-step-by- 


Question: 4 


Your network contains an Active Directory domain named contoso.com. The domain contains 100 
servers. 
You deploy the Local Administrator Password Solution (LAPS) to the network. 

You deploy a new server named FinanceServer5, and join FinanceServer5 to the domain. 

You need to ensure that the passwords of the local administrators of FinanceServer5 are available to 
the LAPS administrators. 

What should you do? 


A. On FinanceServer5, register AdmPwd.dll. 

B. On FinanceServer5, install the LAPS Windows PowerShell module. 

C. In the domain, modify the permissions for the computer account of FinanceServer5. 

D. In the domain, modify the permissions of the Domain Controllers organizational unit (OU). 


Answer: A 


Explanation: 
References: 
https://gallery.technet.microsoft.com/Step-by-Step-Deploy-Local-7c9ef772 


Question: 5 


Your network contains an Active Directory domain named contoso.com. The domain contains four 
servers. The servers are configured as shown in the following table. 


DC1: Windows Server 2012 R2 
DC2: Domain controller, Windows Server 2012 
FS1: File server, Windows Server 2016 
FS2: Windows Server 2012 R2 


You need to manage FS1 and FS2 by using Just Enough Administration (JEA). 
What should you do before you can implement JEA? 


A. Install Microsoft .NET Framework 4.6.2 on FS1 

B. Upgrade DC1 to Windows Server 2016 

C. Install Windows Management Framework 5.0 on FS2. 

D. Deploy Microsoft Identity Manager (MIM) 2016 to the domain. 


Answer: C 


Explanation: 

https://msdn.microsoft.com/en-us/library/dn896648.aspx 

The current release of JEA is available on the following platforms: 

-Windows Server 2016 Technical Preview 5 and higher 

-Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2* with Windows 
Management Framework 5.0 installed 

FS1 is ready to be managed by JEA, but FS2 needs extra work: either upgrade it to 
Windows Server 2016 or install Windows Management Framework 5.0. 


Question: 6 


HOTSPOT 

Your network contains an Active Directory forest named contoso.com. 

The forest has Microsoft Identity Manager (MIM) 2016 deployed. 

You implement Privileged Access Management (PAM). 

You need to request privileged access from a client computer in contoso.com by using PAM. 

How should you complete the Windows PowerShell script? To answer, select the appropriate options 
in the answer area. 




Answer Area 

$PAM = [selection] | ? { $_.DisplayName -eq "CorpAdmins" } 
[selection] -role $PAM 

Options: 
Get-PAMRoleForRequest 
Get-PAMUser 
New-PAMRequest 


Answer: 


$PAM = Get-PAMRoleForRequest | ? { $_.DisplayName -eq "CorpAdmins" } 
New-PAMRequest -role $PAM 


Explanation: 
References: 
https://technet.microsoft.com/en-us/library/mt604089.aspx 
https://technet.microsoft.com/en-us/library/mt604084.aspx 


Question: 7 


Your network contains an Active Directory domain named contoso.com. The domain contains five 
servers. All servers run Windows Server 2016. 

A new security policy states that you must modify the infrastructure to meet the following 
requirements: 

*Limit the rights of administrators. 

*Minimize the attack surface of the forest. 

*Support Multi-Factor authentication for administrators. 

You need to recommend a solution that meets the new security policy requirements. 

What should you recommend deploying? 


A. an administrative forest 
B. domain isolation 
C. an administrative domain in contoso.com 
D. the Local Administrator Password Solution (LAPS) 


Answer: A 


Explanation: 


Because the requirement is to “Minimize the attack surface of the forest”, you must create another 
forest for administrators. 
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM 

This section contains an approach for an administrative forest based on the Enhanced Security 
Administrative Environment (ESAE) reference architecture deployed by Microsoft’s cybersecurity 
professional services teams to protect customers against cybersecurity attacks. 

Dedicated administrative forests allow organizations to host administrative accounts, workstations, 
and groups in an environment that has stronger security controls than the production environment. 


Question: 8 


DRAG DROP 

Your network contains an Active Directory domain. 

You install Security Compliance Manager (SCM) 4.0 on a server that runs Windows Server 2016. 
You need to modify a baseline, and then make the baseline available as a domain policy. 
Which four actions should you perform in sequence? 

Export the baseline as a Group Policy Object (GPO) backup 

Duplicate a baseline. 

Modify the settings of a baseline. 

Import settings into a Group Policy object (GPO) 

Export the baseline as a Microsoft Excel file 

Export the baseline as a SCAP file 

Restore a Group Policy Object (GPO) from a backup 


Answer: 


1. Duplicate a baseline. 

2. Modify the settings of a baseline. 

3. Export the baseline as a Group Policy Object (GPO) backup 
4. Import settings into a Group Policy object (GPO) 


Question: 9 


Your network contains an Active Directory domain named contoso.com. All domain controllers run 
Windows Server 2016. 

The domain contains a server named Server1 that has Microsoft Security Compliance Manager (SCM) 
4.0 installed. 

You export the baseline shown in the following exhibit. 
[Exhibit: File Explorer view of the exported folder {2617e9b1-9672-492b-aefa-0505054848c2}, containing DomainSysvol, Backup, and bkupinfo.] 


You have a server named Server2 that is a member of a workgroup. 

You copy the {2617e9b1-9672-492b-aefa-0505054848c2} folder to Server2. 
You need to deploy the baseline settings to Server2. 

What should you do? 


A. Download, install, and then run the Lgpo.exe command. 

B. From Group Policy Management, import a Group Policy object (GPO). 

C. From Windows PowerShell, run the Restore-GPO cmdlet. 

D. From Windows PowerShell, run the Import-GPO cmdlet. 

E. From a command prompt, run the secedit.exe command and specify the /import parameter. 


Answer: D 


Explanation: 
References: 


Question: 10 


Your network contains an Active Directory domain named contoso.com. The domain contains a 
server named Server1 that runs Windows Server 2016. 

A technician is testing the deployment of Credential Guard on Server1. 

You need to verify whether Credential Guard is enabled on Server1. 

What should you do? 


A. From a command prompt, run the credwiz.exe command. 

B. From Task Manager, review the processes listed on the Details tab. 

C. From Server Manager, click Local Server, and review the properties of Server1. 

D. From Windows PowerShell, run the Get-WsManCredSSP cmdlet. 


Answer: B 


Explanation: 


https://yungchou.wordpress.com/2016/10/10/credential-guard-made-easy-in-windows-10-version-1607/ 

As before, once Credential Guard is properly configured and running, Task Manager shows the 
‘Credential Guard’ process, and ‘LsaIso.exe’ is listed on the Details tab. 


[Screenshots: Task Manager Processes tab listing "Credential Guard"; Task Manager Details tab listing LsaIso.exe (user name SYSTEM, description "Credential Guard") alongside lsass.exe (description "Local Security Authority Process").] 